50 Years of Safety: A Partnership for Safe and Secure Success

This article is part of a series celebrating the 50-year anniversary of the world’s first TÜV-certified safety controller for plant process automation. It explores how a pioneering partnership between HIMA Paul Hildebrandt GmbH and TÜV Rheinland Industrie Service GmbH has been at the center of efforts to rethink and reconceptualize how industry addresses the issue of functional safety.

In 1970, HIMA Paul Hildebrandt GmbH launched the world’s first TÜV-certified safety controller for plant process automation: Planar. This milestone kickstarted 50 years of fruitful collaboration between the safety company and TÜV Rheinland, a global leader in test service provision, and was the start of an ongoing relationship that has since proved decisive in the shaping of modern security protocols and standards.

A Story of Consistent Collaboration

A multitude of other first-of-a-kind joint achievements followed. In 1986, HIMA unveiled the first-ever TÜV-certified programmable safety system based on microprocessor technology. This was followed in 2002 by the introduction of HIMatrix, a landmark TÜV-approved safety system incorporating safe communication over Ethernet for mechanical engineering and plant manufacturing.

It is, however, in the fashioning of attitudes towards ‘functional safety’ that the dynamic duo can perhaps claim to have been most influential. Many credit HIMA and TÜV not only with helping to make Germany a global role model and bearer of industrial safety standards, but also with trailblazing fresh safety approaches that represent a move away from the traditional deterministic view based on single faults.

Pioneering a New Approach to Safety Standards

Over the decades, the way industries think about and deal with safety issues has undergone an evolution. “Safety-related standards predominantly used to focus upon single component faults, which reflected the large volume of hard-wired, low-complexity technologies in use at the time. Nowadays, though, the emphasis is much more on analyzing highly complex systems with a view to determining the probability of failure and mitigating risk,” explains Heinz Gall, former Specialist in Functional Security and Cybersecurity at TÜV Rheinland.

In the mid-1980s, he was a member of the standardization committee which pioneered this approach and counted as its core stakeholders both HIMA and TÜV Rheinland, alongside the representatives of other industries, academics and the heads of professional associations. “Each side contributed its own particular ideas and knowledge: TÜV Rheinland brought in the rigor of testing methodologies while HIMA had the manufacturing nous and well-forged expertise around safety controllers. This close and dialogical cooperation was essential to the progress made,” he recalls.

One excellent outcome has been the development of new standards for firing technology such as VDE 0116, now DIN EN 50156. The collaboration also gave rise to IEC 61508 as the basic standard for functional safety and IEC 61511 for the process industry on the user side. Meanwhile, HIMA has become an accepted course provider for the TÜV Rheinland Functional Safety Training Program, holding regular courses in cities around the globe.

Accompaniment from Start to Finish

On a day-to-day basis, much of TÜV Rheinland’s partnership with HIMA centers around change tests that are carried out during a safety controller’s lifecycle. Since HIMA’s safety controllers generally exhibit extremely long product lifetimes, periodic modernizations and recertifications tend to be required as part of good product maintenance.

What is especially eye-catching about the HIMA-TÜV relationship, though, is the eagerness of the safety company to integrate TÜV Rheinland from the outset in the concept development of any new products. “It’s important to address possible adverse scenarios that might arise right from inception. TÜV Rheinland give us feedback during development and are also ever-present during verification stages – in fault injection tests, for example. Such tests ensure that safety functions are working as they should,” confides Boris Betz, Product Development Manager at HIMA.

“It simply doesn’t make sense to build something new when there might be new directives, regulations, and best practices to consider. That’s why we regard close and frequent communication with TÜV during the developmental phase to be of fundamental importance,” he elaborates.

HIMA and TÜV Rheinland also carry out so-called fault injection tests. The aim is to test the error-control measures planned in the concept phase by inducing errors. Precisely when TÜV Rheinland is called in depends on the complexity of the product. For example, a safety controller has a significantly longer development time than a safety sensor, with products such as HIQuad X or HIMax taking as many as five to eight years to reach full fruition. Importantly, TÜV Rheinland accompanies HIMA every step along that path.

An Adaptive Relationship

Naturally, the manner in which the two teams interact has also evolved over time to reflect changes in modus operandi. Much of the heavy documentation work – the drafting of test reports, design specifications, record keeping and so on – that tends to occur towards the end of a joint project can now be completed remotely. “Originally, it was possible to do documentation in paper form in manageable quantities by post. Today, data transfer at HIMA has gone completely digital,” explains Betz. What’s more, the sheer quantity of data being collected and processed continues to rise. “When recertifying existing HIMA solutions, it has generally been possible to manage with just a few megabytes of data that have to be transferred to testing bodies. In new developments, the amount of data handled can be extremely high. 20 to 30 gigabytes of documentation and data can now be accumulated very quickly,” he confides.

The composition of teams has also become more complex. “In the past, teams were smaller. As the technology has become more complicated, we have reverted more to online meetings involving a wider range of subject matter specialists. Moreover, the proportion of service functions that are not developed by the manufacturer itself, but bought in from external partners, is increasing,” observes Merlin Hilger, Expert for Functional Safety at TÜV Rheinland. Such adaptations are, of course, precisely why the partnership continues to be so effective. “It’s an organic relationship that manages to keep pace with the times,” he affirms.